Scapy and rdpcap function

Submitted by 锁芯ラ on 2019-12-05 05:45:53

Scapy has another method sniff which you can use to read the pcap files too:

from scapy.all import sniff

def method_filter_HTTP(pkt):
    # Your processing
    pass

sniff(offline="your_file.pcap", prn=method_filter_HTTP, store=0)

rdpcap loads the entire pcap file into memory. Hence it uses a lot of memory and, as you said, it's slow. sniff, on the other hand, reads one packet at a time and passes it to the provided prn function. The store=0 parameter ensures that the packet is deleted from memory as soon as it is processed.
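A pure-Python illustration of the streaming pattern this answer describes, added here as an example (it is not code from the answer or from Scapy): it walks the libpcap record stream one packet at a time and hands each record to a prn-style callback, so memory use stays flat however large the file is. Every function name and the sample capture are constructed for this example; it handles only the classic libpcap format (both byte orders, microsecond and nanosecond variants), not pcapng.

```python
import io
import struct
# first four bytes of the file -> (struct byte order, divisor for the fractional timestamp field)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}   # nanosecond pcap

def iter_pcap(source):
    """Yield (timestamp, linktype, packet_bytes) one record at a time from bytes or a binary stream."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    header = stream.read(24)
    if len(header) != 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file (truncated header or pcapng)")
    endian, frac_div = MAGICS[header[:4]]
    linktype = struct.unpack(endian + "HHiIII", header[4:])[5]
    rec_hdr = struct.Struct(endian + "IIII")
    while True:
        raw = stream.read(rec_hdr.size)
        if not raw:
            return                                   # clean end of file
        ts_sec, ts_frac, incl_len, orig_len = rec_hdr.unpack(raw)  # struct.error if cut short
        if incl_len > orig_len or incl_len > 262144:  # cap so a corrupt length cannot force a huge read
            raise ValueError(f"corrupt record length {incl_len}")
        data = stream.read(incl_len)
        if len(data) != incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec + ts_frac / frac_div, linktype, data

def sniff_offline(source, prn):
    """Same shape as sniff(offline=..., prn=..., store=0): call prn per packet, keep nothing."""
    count = 0
    for count, (ts, linktype, pkt) in enumerate(iter_pcap(source), 1):
        prn(ts, linktype, pkt)
    return count

def ethertype_counts(source):
    """Worked prn: tally the EtherType of each Ethernet frame (linktype 1) without storing frames."""
    counts = {}
    def prn(ts, linktype, pkt):
        if linktype == 1 and len(pkt) >= 14:
            etype = struct.unpack("!H", pkt[12:14])[0]
            counts[etype] = counts.get(etype, 0) + 1
    return sniff_offline(source, prn), counts

def build_sample_pcap(truncate=0):
    """Constructed sample capture: one IPv4 (0x0800) and one ARP (0x0806) frame; truncate cuts the tail."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, linktype 1
    for i, etype in enumerate((b"\x08\x00", b"\x08\x06")):          # IPv4, ARP
        frame = b"\xff" * 6 + b"\x02" * 6 + etype + b"\x00" * 28     # dst, src, type, padding
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out[:len(out) - truncate] if truncate else out
```

A file is read the same way by passing `open(path, "rb")` as the source; a capture cut off mid-record raises ValueError instead of silently dropping the tail.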

While I agree the load time is longer than one might expect, it is likely because the file is being parsed to generate an array of highly composed objects. What I've had to do was use editcap to chop up the packet captures to make reading them a bit easier. For example:

$ editcap -B "2013-05-28 10:05:55" -i 5 -F libpcap inputcapture.pcap outputcapture.pcap

Please note: a full explanation of the switches of this command is available here.

Also, the -F libpcap part seemed to be necessary (at least for me) to get scapy's pcap function able to parse the file. (This is supposed to be the default pcap file output format, but this was not the case for me, for whatever reason.) You can verify the file type of your input and output files with capinfos (e.g., simply enter capinfos your_capture.pcap).

Both capinfos and editcap are available with the Wireshark distribution.
